from the dumbest-ideas-ever dept

We already did a post exploring the ridiculous background and bad assumptions of the so-called IP Commission Report, but we're going to explore some of the "recommendations" of the report as well. In that first post, we noted that the basis, assumptions and methodology of the report were all highly problematic, so it should come as little surprise that the "recommendations" that come out of it are equally ridiculous.

Let's start with the one that has received the most attention: the fact that the report recommends a "hack back" legalization, to allow those who feel their (loosely defined) "intellectual property" has been infringed to "hack back" at those who infringe. As Lauren Weinstein summarizes, this proposal more or less is a plan to legalize malware against infringers. Of course, this kind of idea is not new or unique. It's been around for a while. Almost exactly ten years ago, Senator Orrin Hatch proposed allowing copyright holders the right to destroy the computers of anyone infringing. The specifics here are explained over two "suggestions" that, when combined (hell, or even individually), are somewhat insane for anyone even remotely familiar with the nature of malware. First up, legalizing some basic spyware/malware:

Support efforts by American private entities both to identify and to recover or render inoperable
intellectual property stolen through cyber means.

Some information or data developed by companies must remain exposed to the Internet and
thus may not be physically isolated from it. In these cases, protection must be undertaken for
the files themselves and not just the network, which always has the ability to be compromised.
Companies should consider marking their electronic files through techniques such as “meta-tagging,”
“beaconing,” and “watermarking.” Such tools allow for awareness of whether protected information
has left an authorized network and can potentially identify the location of files in the event that
they are stolen.

Additionally, software can be written that will allow only authorized users to open files containing
valuable information. If an unauthorized person accesses the information, a range of actions might
then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer
could be locked down, with instructions on how to contact law enforcement to get the password
needed to unlock the account. Such measures do not violate existing laws on the use of the Internet,
yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for
law enforcement to become involved.

Basically, malware/DRM-on-steroids. As if that will work. Anyone who had even a modicum of experience with DRM or watermarking knows that these things aren't difficult to get around, and are basically a huge waste of time and money for those who employ them. The idea that they might then lock down entire computers if an incorrect file gets onto one seems even more ridiculous. Given how often DRM causes problems for legitimate users of the content, you can imagine the headaches (and potential lawsuits) this kind of thing would lead to. A complete mess for no real benefit.

So, then, they take it up a notch. If bad DRM/watermarking isn't enough, how about legalizing the pro-active hacking of infringers? No, seriously.

Reconcile necessary changes in the law with a changing technical environment.

When theft of valuable information, including intellectual property, occurs at network speed,
sometimes merely containing a situation until law enforcement can become involved is not an entirely
satisfactory course of action. While not currently permitted under U.S. law, there are increasing calls
for creating a more permissive environment for active network defense that allows companies not
only to stabilize a situation but to take further steps, including actively retrieving stolen information,
altering it within the intruder’s networks, or even destroying the information within an unauthorized
network. Additional measures go further, including photographing the hacker using his own system’s
camera, implanting malware in the hacker’s network, or even physically disabling or destroying the
hacker’s own computer or network.

Notice how that recommendation gets even more insane the further you read. "Retrieving" info? Okay. "Destroying info on an unauthorized network"? Yeah, could kinda see where someone not very knowledgeable about computers and networks thinks that's a good idea. "Photographing the hacker"? Well, that's going a bit far. "Implanting malware in the hacker’s network"? Say what now? "Physically disabling or destroying the hacker's own computer or network"? Are you people out of your minds?

This isn't just a bad idea, it's a monumentally dangerous idea that will have almost no benefit, but will have tremendously bad and dangerous consequences. Hell, today we already have to deal with a plethora of bogus DMCA takedown notices. Imagine if that morphed into bogus malware attacks or destroying of computers? It makes you wonder how anyone could take anything in the study seriously when you read something like that.

To be fair, the authors of the report say they don't recommend legalizing this stuff yet, but immediately make it clear that something like this is going to need to happen in the future, because "the current situation is not sustainable." Based on what? Well, as we explained in the first post about this report, that's mostly based on the authors' overactive imaginations, rather than anything fact-based.

Reader Comments

including actively retrieving stolen information, altering it within the intruderís networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own systemís camera, implanting malware in the hackerís network, or even physically disabling or destroying the hackerís own computer or network.

Not really surprising. And I'm sure it would be 100% accurate and not accidentally do that to innocent people ever...

Response to: Tim K on May 28th, 2013 @ 8:10am

Funniest bit? With all their suggestions about hacking computers to place malware/spyware, and retrieve info on potential infringers, they don't seem to realize that would make any evidence they might present completely and utterly useless in any legal case it might be brought up in, as the person who's computer was hacked could just say they planted the 'illegal' files.

Of course given that lot's aversion to anything and everything involving the legal system that isn't using it to pass laws to protect themselves from having to adapt, I'm sure they consider that a feature, not a bug. 'This is a copyright case, which means the accused is presumed guilty until they can prove their innocence, and since the only evidence they can present is inadmissible due to both parties having had access to it, it's down to our word versus theirs, which is an automatic win for those making the accusations'.

Also of note, if it suddenly becomes legal to plant malware/spyware on the computers of anyone suspected of having pirated files, companies around the US are going to go absolutely nuts hacking their competitors, as all they'd need to do to justify it would be to claim that they thought the other company had pirated files on their servers.

Re:

they don't seem to realize that would make any evidence they might present completely and utterly useless in any legal case it might be brought up in, as the person who's computer was hacked could just say they planted the 'illegal' files.

You're laboring under the assumption that anything the "find" would be used in a law enforcement action.

After all, if you have the legal right to act as judge, jury, and executioner, why would you bother with a trial?

Moreover, this has nothing to do with actually stopping "piracy" - it's real purpose is to stop competition. You wanna silence the TPB movie? Claim that it infringes your copyright, upload a copy with a virus and destroy the computer of anyone who downloads it. Wanna "get back" at someone who criticizes you? Hack the computer of anyone who downloads "Homeland".

Re: Re:

It seems more like a vigilante right. Eye for an Eye, I have no idea about how they would ever get past first, fourth, eighth or fourteenth amendment rights with something even resembling what they write, but it is reasonable to be concerned...

Re:

"Also of note, if it suddenly becomes legal to plant malware/spyware on the computers of anyone suspected of having pirated files, companies around the US are going to go absolutely nuts hacking their competitors, as all they'd need to do to justify it would be to claim that they thought the other company had pirated files on their servers."

Better yet, it would basically legalize the activities of "organizations" like anonymous. Everyone infringes copyright at some point, especially the copyright maximalists. I can only imagine the hilarity of anonymous LEGALLY pulling apart all the IAAs byte by byte.

Re:

Someone dumb enough to use the term "through cyber means" to describe something being done over the internet. I'd be laughing at that one for hours if it wasn't my head this impending disaster was hanging over.

Where do the malware vendors go

Interesting to see how say Symantec can differentiate between the bad malware and... Good malware?(No such thing) And if they do find a way; Doesnt that then kill their credibility in the Virus/Malware arena? Why would I want to use a product that selectively allows spyware? What a 3 ring circus of clowns our lawmakers have become.

Re: Where do the malware vendors go

Symantec and McAffee already do this. There are Windows hack tools to bypass WPA that are in no way harmful to anyone. These are marked as 'malware' simply because microsoft doesn't like them. Many of the smaller AV companies are doing the same thing ( Comodo, AVG, Kaspersky ). Yes, this does call their credibility into question.

Well, it's obvious what we should do then, in the name of copyright. The government should set up massive servers that everyone logs into from dumb terminals and uses government approved software to view and manipulate files. We would, of course, have to outlaw owning personal computers that can operate in any way outside that network, and all file storage would be on their servers as well. That way they can view our files and computing habits accordingly. You would then pay a fee based on what software packages you or your business would be allowed to access.

See, I've just solved the copyright problem, since nothing could exist in digital form that was not approved. In fact, all data could be government approved. Wouldn't that be dandy.

Re:

Re:

.. and your nation. In which case your gouvernment (were it any good) would promptly replace those people on ground of endangering national security.

I mean, private people can advocate anything, but if they're officials, proposing ideas like this in an official role at least warrants immediate dismissal, if not an investigation for high treason (trying to subvert national security etc...).

It's not sustainable for the current plutocracy. The current plutocrats want to be able to continue to make money and do little to earn it while forcing laws that are unfairly enforced on everyone else. They have gotten away with it for this long but people are catching up and their business model is not sustainable. They may have to actually work for a living instead of relying on bought laws (ie: 95+ year copy protection lengths and retroactive extensions, a one sided penalty structure, govt. established broadcasting and cableco monopolies for private and commercial use, govt. established taxi cab monopolies, etc...).

First off rootkits are hidden from the OS discovering it. Doesn't mean it's gone, only that it isn't visible to detection through the OS. If you can discover what the rootkit folder is named, as in the first letter or digit or two, you can add to the rootkit whatever it is you like, say like more malware. By trying a series of digits and letters you can find what it is, say like a* or $*. It won't show you it took it but you will know by the absence of an error. So any hack with a few hours work at best will be able to access it and use this rootkit for their own purposes.

As far as permission to use malware, lots of companies are unofficially already doing this under the table., The RIAA has a long history dating back to the Gnutella networks of using malware methods. The first one off the top of my head is the old Loudeye that was hired to serve up malware on file sharing networks. It started out returning bogus search results in file sharing networks and expanded beyond that. Loudeye opened up a second branch called Overpeer.

Shall we play a game?

The only thing a move like that would accomplish is to start a full scale war of attrition on the Internet. I hope they table this for the utterly stupid idea it is before killer bots, drive-by malware and DDoS exchanges become the norm.

Cowboy style "justice" may appeal to our baser instincts. But anybody can assemble a posse. And the people who are asking for a blanket authorization of vigilante responses might want to consider that any number can play that game if you abandon good laws and decent behavior.

And when it comes to that sort of technology and creativity, I think the 'court advantage' is squarely with the "rest of the world" rather than corporate security and IT departments

The Wild Wild West

If this were to be made into law then basically we would have how the West was won cyber-style. Whomever can draw his pistol (malware/virus) the quickest wins.
Personally in a war of hackers vs. Everyone Else my bet is with the hackers winning the Cyber-West.

Wow we would enter the age of trolling. No one would ever have to learn how to hack to destroy another computer.
Example on a soundmixing forum:
Guy: "Does anyone have a good recording of birds singing?"
Troll: "Sure no problem."
*Sends recording to guy named Birds_01.ogg*
*Guy opens Birds_001.ogg and discovers that it is really a copyrighted song*
Computer of guy: "You have been deemed guilty of copyright infringement and your files are now locked. Please report for public execution at your nearest MIAA center."

That is gonna be "sooo fun" for the rest of us (not trolls).
And to think that at one time not too long ago, I had an almost childish excitement for the future. I seem to have lost that in the last couple of years due to morons like this.

Re: Am I becoming a conspiracy nut???

I find the same thing increasingly hard. It would seem that the US government (among others) is riding the "property" part of "intellectual property" in order to shut people up, by stuffing the free speech genie of The Internet back into the lamp. Since property rights are generally stronger then free speech rights, making every idea into "property" allows us to hand off enforcement of property rights to some police-type administrative organization, and thus administratively effectively censoring a lot of speech.

To be fair, the authors of the report say they don't recommend legalizing this stuff yet, but immediately make it clear that something like this is going to need to happen in the future, because "the current situation is not sustainable.

Which translates to the authors of the proposal not smoking enough crack yet to push for implementation of insane Big Brother DRM, but enough to come up with such lunacy. In the future, when their smoking efforts will progress so sustain their growing appetites, they can get to pushing the idea into action.

Re:

I think they want to err on the side of caution. What they are proposing has no walk on earth and could actually be construed as "conspiracy to commit cyber crime" or however the government would put it.

Justification!

"Why did you take down the hospital network, leading to problems in retrieving patient info that lead to 8 deaths?"
"Someone there downloaded Fast and Furious 26: Fasterer and Furiouserer"
"There you have it your honour, justifiable homicide!"

Re: Re: Alternative OS

OS can be defended against malware, but the sneaky problem is that if such malware becomes legal, DMCA will make defending against it illegal! I.e. security measures will be rendered "circumvention tools" and will be banned from legal application distribution. These lunatics know what they are doing, that's why it's important to repeal this legal pile of garbage.

haven't read all the replies so may have been posted already. the freakin idiots that come up with this crap always leave out the thing that is going to harm the most. that is when the 'back doors' are opened by those outside the USA. what is going to happen then? what is the USA going to do when all the 'foreign' software does something similar? do these idiots think that the only people to get 'unauthorised' copies of something are outside the USA? give me strength!!

The amusing part is that the truly hardcore pirates will not be affected. I never got a malware from 'infringing' content I downloaded. Ever. But I did have trouble with the infamous Sony Rootkit. Ah the irony.

Does anyone in their right mind think that real people who pirate would be calling the cops for the key? Please. The key would be all over the internet in a day. Barring that, reloading the OS would eliminate the issue.

The people sharing files would take about 2 minutes after it was discovered to spread the word, ensuring that almost no one got this malware.

It's obvious it hasn't been well thought out. But then idiots don't tend to think very deeply.

Weapon

> The idea that they might then lock down entire computers
> if an incorrect file gets onto one seems even more ridiculous.
> Given how often DRM causes problems for legitimate users
> of the content, you can imagine the headaches (and potential
> lawsuits) this kind of thing would lead to.

This would be a helluva weapon for disruptive groups like Occupy that hate big corporations and banks. They could easily send one of these protected files to the entire corporate email list, and every secretary, mail boy, and assistant will then try and open it, resulting in a huge percentage of the company's computers locked down for a day or so.

"disabling or destroying the hackerís own computer or network"

This would lead to all out cyberwar against the organization involved in the illegal detruction of other peoples stuff. If they attacked/destroyed your network or computer by mistake, wouldn't you be wanting their heads mounted on somebody's wall. Yeah.. I thought you might. Corps acting in this manner, would destroy themselves in very short order. From a public affairs view, it would be the final nail in the coffin.

No way this could backfire

"That One Guy" stole my idea. ;)
What would happen if anyone (rival companies, evil hackers, hacker-activists, etc) decided to watermark and plant fake files on people's computers? Then what happens when the real company sends a malware attack onto these computers?

But most of all, what ever happened to the idea of due process of law? There's the fact that the company should prove the file is infringing, then they should prove you did it on purpose. Like we've seen with false takedown notices, will there be any repercussions for false malware attacks? I don't think the RIAA can just say "oops, my bad" when they take down a college's network because one person named their class project with the same name as a Hollywood movie.
However, it would be beyond hilarious if the automated takedown company (which so many companies seem to use) attacked NBC's own website for "illegally" hosting its own shows.

But, as usual, there are no technical details to back up this plan: just some vague ideas about what "should be done". What would happen if some IT guys (or any IT guys) were to explain that none of this is actually feasible? Or like some other posters are saying, does anyone care about the feasibility as long as they look like they're "doing something".